SPF: The Top Things That Can Go Wrong

John_M
Marketo Employee

Previously I talked about creating nested SPF entries, but as our excellent deliverability team (and Kiersti Esparza specifically) pointed out to me, there is another way to handle this. There are also a few misconfigurations we commonly see that break SPF, and I'll talk about them here. If you have a large set of IPs and/or domains and want to include them ALL in SPF, it can get out of hand quite quickly.

Character String Length

SPF records have a limit of 255 characters in a single string. Any more than that and the record will come back as invalid. We have some workarounds, however...

Approach 1 - Multiple Strings

To have more than 255 characters in an SPF record, the record can be broken into multiple strings. The strings are then concatenated together, without spaces, as shown.

IN TXT "v=spf1 .... first" " second string..."

MUST be treated as equivalent to

IN TXT "v=spf1 .... first second string..."

EXAMPLE

text = "v=spf1 ip4:199.15.212.0/22 ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24 ip4:72.32.243.0/24 ip4:94.236.119.0/26 ip4:37.188.97.188/32 ip4:185.28.196.0/22 ~all"

(could be)

text = "v=spf1 ip4:199.15.212.0/22" " ip4:72.3.185.0/24 ip4:72.32.154.0/24 ip4:72.32.217.0/24" " ip4:72.32.243.0/24 ip4:94.236.119.0/26" " ip4:37.188.97.188/32 ip4:185.28.196.0/22 ~all"
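The splitting above can be automated. The following is an added example, not code from the original post: it breaks a record into DNS TXT character-strings of at most 255 bytes at mechanism boundaries, renders the zone-file line, and checks that plain concatenation of the strings gives back the original record (which is what a verifier does with a multi-string TXT record). The sample record reuses the IP ranges quoted in the post; the 80-byte limit used in the demo run is only there to force a split on a record that would otherwise fit in one string.

```python
# Added example (not from the original post): split a long SPF record into
# DNS TXT character-strings of at most 255 bytes, and show that the strings
# concatenate back to the original record, as an SPF verifier requires.

MAX_STRING = 255  # DNS <character-string> limit, in bytes

# Constructed sample record (the IP ranges are the ones quoted in the post).
LONG_SPF = ("v=spf1 ip4:199.15.212.0/22 ip4:72.3.185.0/24 ip4:72.32.154.0/24 "
            "ip4:72.32.217.0/24 ip4:72.32.243.0/24 ip4:94.236.119.0/26 "
            "ip4:37.188.97.188/32 ip4:185.28.196.0/22 ~all")


def split_spf(record: str, limit: int = MAX_STRING) -> list[str]:
    """Break `record` at term boundaries into strings of <= limit bytes.

    Every string after the first starts with the separating space, so the
    plain concatenation of the strings (no spaces added) is the original.
    """
    terms = record.split(" ")
    strings: list[str] = []
    current = terms[0]
    for term in terms[1:]:
        piece = " " + term
        if len(piece.encode()) > limit:
            raise ValueError(f"single term longer than {limit} bytes: {term}")
        if len((current + piece).encode()) > limit:
            strings.append(current)   # this string is full; start the next one
            current = piece
        else:
            current += piece
    strings.append(current)
    return strings


def join_spf(strings: list[str]) -> str:
    """What a verifier does with a multi-string TXT RR: concatenate without spaces."""
    return "".join(strings)


def zone_file_line(name: str, strings: list[str]) -> str:
    """Render the record as a zone-file TXT line, one quoted string per piece."""
    quoted = " ".join('"' + s.replace('"', '\\"') + '"' for s in strings)
    return f"{name} IN TXT {quoted}"


if __name__ == "__main__":
    # 80 forces a split on this 167-byte record; use the default 255 for real zones.
    pieces = split_spf(LONG_SPF, limit=80)
    print(zone_file_line("example.com.", pieces))
    assert join_spf(pieces) == LONG_SPF
```

Because each continuation string begins with its own leading space, no string ever ends with a space, so there is no risk of a trailing space being lost or doubled when an operator copies the pieces into a zone file.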

Approach 2 - Some more detail on the previous blog - Nested or Cascaded entries

This example is for marketo.com, and you can see that marketo.com is the top-level SPF entry.

In this case, the marketo.com SPF record includes a number of other, different SPF records (include:_spf.salesforce.com include:spf.protection.outlook.com include:mktomail.com include:email.influitive.com include:stspg-customer.com).

All entries in the “included” entries are now considered to be part of the marketo.com record.

A great tool to see all nested records in an SPF record is the DMARCIAN SPF Surveyor.

Caveat: this approach has limits. There is a limit of 10 additional "include:" records in an SPF record. The "include", "a", "mx", "ptr", and "exists" mechanisms, as well as the "redirect" modifier, count against this limit of 10, but the "all", "ip4", and "ip6" mechanisms do not count against it.

Also remember, when you “include:” a record in your SPF record, then your record now includes all mechanisms in the “include:” record.  So if your SPF record has 1 “include:”, but the SPF record you are including has 10 already, then your record will now have 11 and will break!

Null Records in the SPF Record

A record that is NULL or does not exist will break an SPF record.  This means be extra careful about typos in your record.  If you “include:” a domain that doesn’t exist, this will break your record.
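The two failure modes just described, the 10-lookup limit (including everything pulled in through "include:") and an "include:" of a domain with no SPF record, can be checked before a record goes live. The following is an added example, not code from the post or from Marketo: it walks a record and its include:/redirect= targets, counts the mechanisms that cost a DNS lookup, and reports both problems. The "DNS" is a constructed dictionary of made-up domain names so the check runs offline; to check a real zone, replace the dictionary lookup with resolver output.

```python
# Added example (not from the original post): count the DNS lookups an SPF
# record incurs, descending into include:/redirect= targets because their
# lookups count against the top-level record too, and flag the breakages the
# post describes: more than 10 lookups, and an include: of a domain that has
# no SPF record. The "DNS" is a constructed dictionary with made-up names.

LOOKUP_MECHANISMS = {"include", "a", "mx", "ptr", "exists"}
MAX_LOOKUPS = 10  # RFC 7208 section 4.6.4

# Constructed zone data: domain -> SPF TXT record. A missing key = no record.
FAKE_DNS = {
    "example.com": ("v=spf1 ip4:192.0.2.0/24 include:_spf.vendor-a.example "
                    "include:vendor-b.example -all"),
    "_spf.vendor-a.example": "v=spf1 a mx include:relay.vendor-a.example ~all",
    "relay.vendor-a.example": "v=spf1 ip4:198.51.100.0/24 -all",
    "vendor-b.example": ("v=spf1 include:bulk.vendor-b.example "
                         "include:typo-does-not-exist.example -all"),
    "bulk.vendor-b.example": "v=spf1 ip6:2001:db8::/32 -all",
    # One include: too many, even though every target is tiny.
    "over-limit.example": "v=spf1 " + " ".join(["include:leaf.example"] * 11) + " -all",
    "leaf.example": "v=spf1 ip4:203.0.113.0/24 -all",
}


def spf_lookups(domain, dns=FAKE_DNS, _stack=()):
    """Return (lookup_count, problems) for the SPF record published at `domain`."""
    problems = []
    if domain in _stack:
        return 0, [f"{domain}: include/redirect loop via {' -> '.join(_stack)}"]
    record = dns.get(domain)
    if record is None or not record.startswith("v=spf1"):
        return 0, [f"{domain}: no SPF record, so the record that includes it fails (permerror)"]

    count = 0
    for term in record.split()[1:]:
        term = term.lstrip("+-~?")            # qualifiers don't change the lookup cost
        if "=" in term:                        # modifier, e.g. redirect= or exp=
            name, _, value = term.partition("=")
            if name == "redirect":
                count += 1
                sub, sub_problems = spf_lookups(value, dns, _stack + (domain,))
                count += sub
                problems += sub_problems
            continue
        name, _, value = term.partition(":")
        name = name.split("/")[0]              # "a/24" and "mx/24" are still a and mx
        if name in LOOKUP_MECHANISMS:
            count += 1                         # the mechanism's own lookup
            if name == "include":              # plus everything the target record costs
                sub, sub_problems = spf_lookups(value, dns, _stack + (domain,))
                count += sub
                problems += sub_problems
        # ip4, ip6 and all cost nothing

    if not _stack and count > MAX_LOOKUPS:
        problems.append(f"{domain}: {count} DNS lookups exceeds the limit of {MAX_LOOKUPS}")
    return count, problems


if __name__ == "__main__":
    for name in ("example.com", "over-limit.example"):
        total, issues = spf_lookups(name)
        print(f"{name}: {total} lookups")
        for issue in issues:
            print("  !", issue)
```

For the constructed example.com record the count is 7: one for each of its two includes, three inside _spf.vendor-a.example (a, mx, and its own include), and two inside vendor-b.example, one of which points at a domain with no record and is reported as a breaking problem even though the total is under 10. The over-limit.example record shows the other failure: eleven small includes still exceed the limit.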

Repetitive Records in the SPF Record

In order to prevent unnecessary processing that can cause mail systems to slow down, repeated mechanisms aren't allowed.  There is a MAX of 2 repeated look ups in an SPF record.  More than that and the record will break.  This prevents SPF records from being used in denial-of-service-style attacks.

If we have learned anything at Marketo over the years it is that DNS for email is hard!  We have experts on our team who can help unravel the most complicated SPF records.  Raise your hand and let us know if you need help.

1 Comment
SanfordWhiteman
Level 10 - Community Moderator

A record that is NULL or does not exist will break an SPF record.  This means be extra careful about typos in your record.

Not all mechanisms that have no answers (but where the domain does exist) will instantly break an SPF record.  You can have up to 2 lookups during MX or A resolution that return "no answer/no error," for example, and your record is still fine.  These are called void lookups.

It is true that a single include: mechanism whose initial DNS resolution results either in "no answer/no error" or in an explicit error will instantly break the parent SPF record.

Also, a "null record" has specific meaning in SPF (a record that reads "v=spf1 -all") which is quite different from "a DNS result with no answers" (what you presumably mean by "NULL").  I advise using less ambiguous terminology.

In order to prevent unnecessary processing that can cause mail systems to slow down, repeated mechanisms aren't allowed.  There is a MAX of 2 repeated look ups in an SPF record.

I don't know what you're referring to here.  "Repeated lookups" is not an SPF term.

And don't worry, you can credit my advice to anyone else you want.  I am just looking for correct information to be published.

Kiersti Esparza